From 49c73b06a21f8cd41b37dc6fb79160ef5969c360 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?=
Date: Thu, 30 Jan 2020 22:08:43 -0800
Subject: [PATCH] cut down bpf related privileges
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is driven by 3 things:
- netd no longer needs setattr, since this is now done by bpfloader
- nothing should ever unpin maps or programs
- generic cleanups and additional neverallows

Test: build, atest
Signed-off-by: Maciej Żenczykowski
Change-Id: I881cc8bf9fe062aaff709727406c5a51fc363c8e
---
 private/bpfloader.te | 28 +++++++++++++++++++---------
 public/netd.te | 2 +-
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/private/bpfloader.te b/private/bpfloader.te
index 8271add5b..249f3df72 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -3,26 +3,36 @@ type bpfloader, domain;
 type bpfloader_exec, system_file_type, exec_type, file_type;
 typeattribute bpfloader coredomain;
-# These permission is required for pin bpf program for netd.
-allow bpfloader fs_bpf:dir create_dir_perms;
-allow bpfloader fs_bpf:file create_file_perms;
-allow bpfloader devpts:chr_file { read write };
+# These permissions are required to pin ebpf maps & programs.
+allow bpfloader fs_bpf:dir { search write add_name };
+allow bpfloader fs_bpf:file { create setattr };
-# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
-# for retrieving a pinned map when bpfloader do a run time restart.
-allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
+# Allow bpfloader to create bpf maps and programs.
+allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
 allow bpfloader self:capability { chown sys_admin };
 ###
 ### Neverallow rules
 ###
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
+neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
+neverallow domain fs_bpf:dir { reparent rename rmdir };
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
+neverallow { domain -bpfloader } fs_bpf:file create;
+neverallow domain fs_bpf:file { rename unlink };
+
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -system_server } *:bpf { map_read map_write };
+
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
-# only system_server, netd and bpfloader can read/write the bpf maps
-neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
 # No domain should be allowed to ptrace bpfloader
 neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
diff --git a/public/netd.te b/public/netd.te
index 92c2ed164..8005406d6 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -63,7 +63,7 @@ allow netd sysfs_usb:file write;
 r_dir_file(netd, cgroup_bpf)
 allow netd fs_bpf:dir search;
-allow netd fs_bpf:file { read write setattr };
+allow netd fs_bpf:file { read write };
 # TODO: netd previously thought it needed these permissions to do WiFi related
 # work. However, after all the WiFi stuff is gone, we still need them.
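Review bot: The unpin prohibition added at `neverallow domain fs_bpf:file { rename unlink };` and `neverallow domain fs_bpf:dir { reparent rename rmdir };` is enforced only through the file-side permissions; deleting or renaming a pin also needs `remove_name` on the parent `fs_bpf:dir`, which no rule in this hunk forbids, so `neverallow domain fs_bpf:dir { reparent rename rmdir remove_name };` would make the directory side match the "nothing should ever unpin" intent from the commit message. The new neverallow groups carry no comment beyond the duplicated `# TODO: get rid of init & vendor_init`; a one-line rationale above the first of them, e.g. `# Only bpfloader may pin bpf maps/programs, and no domain may ever unpin (rename/unlink) them.`, keeps the invariant readable in the policy itself rather than only in git history. The TODOs should also record why init and vendor_init still need `setattr` (presumably chown/chmod entries in .rc files — confirm) so the exception can actually be retired. Dropping `allow bpfloader devpts:chr_file { read write };` is not mentioned in the commit message; if bpfloader writes to the console during early boot this is worth confirming on a device rather than by build alone.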
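Review bot: The surviving `allow netd fs_bpf:file { read write };` has no comment explaining why netd keeps `write` on pinned objects now that setattr has moved to bpfloader, which invites the next cleanup to drop it as well. If the reason is that retrieving a pinned map or program requires write access on the bpffs inode — I cannot confirm the kernel-side requirement from this page — a comment such as `# read/write is needed to retrieve (not modify) pinned maps and programs` above that line would record it. The rule sits at file scope in a flat .te, so there is no enclosing block to consider.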